iPhones and Android Phones & HIPAA Encryption
There is an understandable level of confusion regarding HIPAA encryption for iPhones and Android phones. The confusion arises because the HIPAA Security Rule categorizes the encryption of Protected Health Information (PHI) as an “addressable” requirement when PHI is communicated externally from a covered entity’s communications network. This categorization alone raises three questions about HIPAA encryption for iPhones and Android devices:
- What health data is protected and what is not?
- How does an “addressable” obligation differ from a “required” one?
- How is a covered entity’s communications network defined?
The problems are further complicated by exclusions to the HIPAA Security Rule that are in place for physician/patient communications and because encryption alone does not make a Smartphone used in healthcare HIPAA compliant. This article looks into the questions mentioned above, explains why HIPAA encryption for iPhones and Android phones is not enough to make a Smartphone used in healthcare HIPAA-compliant, and offers a solution to minimize the risk of PHI breaches.
Protected Health Information is classified by the HIPAA Privacy Rule as any individually identifiable health information that is managed or transmitted in any form, including oral communications, that is created or received by a healthcare group. The data can relate to the past, present or future physical or mental condition of an individual, the provision of health care to an individual, or payment for that health care.
As well as being communicated orally, individually identifiable health data can be written or included in an image or video, and can include such details as names, addresses (even a zip code alone), email addresses, telephone numbers, social security numbers and vehicle license plate details.
Failure to safeguard the integrity of PHI in transit can result in confidential information being intercepted and/or compromised. If in doubt, healthcare groups should always treat any individually identifiable health information as PHI unless the patient has given authorization for the information to be made publicly available, for example for research or marketing purposes.
Some in the healthcare sector have taken the approach that because an addressable requirement is not “required”, its implementation is not essential in order to become HIPAA compliant. It is vital to emphasize that this is not the case at all.
“Addressable” obligations have to be implemented as if they were “required” requirements unless (a) an alternative security measure is implemented that accomplishes the same purpose, or (b) it can be demonstrated that the security measure is not necessary to safeguard the integrity of PHI.
In respect of HIPAA encryption for iPhones and Android devices, it would be very hard to think of a scenario in which a suitable alternative to encryption could be deployed, and almost impossible to conceive of a situation in which the transmission of PHI without encryption would be acceptable, subject to the explanation of a covered entity’s communications network provided here.
The term “covered entity’s communications network” refers to an internal electronic communications network that is safeguarded from the outside world by an appropriate firewall. Once an email, an SMS or an Instant Message is transmitted outside of the firewall, the communication is considered to have left the network.
Protecting communications containing PHI behind a firewall is possibly the only situation in which HIPAA encryption for iPhones and Android phones could be avoided. However, it is impractical: the owners of the Smartphones would never be able to send messages outside of the covered entity’s network or over a public 3G or WiFi service.
This would mean it would be impossible to send any individually identifiable health information to on-call doctors or to discuss patient care with nurses working in the community. Effectively, HIPAA encryption for iPhones and Android phones is a necessity unless healthcare groups ban the use of Smartphones in the workplace or stop sending PHI altogether.
Forbidding the use of Smartphones in the workplace would create a major communication issue for healthcare groups. Studies show that four-out-of-five physicians and three-out-of-four nurses use a personal Smartphone to support their workloads. Cutting out the speed and convenience of Smartphones would be detrimental to productivity.
A solution to this issue is the implementation of a secure messaging system. Secure messaging systems behave in the same manner as commercially available messaging apps, but adhere to the requirements of the Security Rule with regard to HIPAA encryption for iPhones and Android phones while PHI is in transit.
However, the problem of HIPAA compliance is not addressed by encryption alone. HIPAA encryption for iPhones and Android phones is just one part of the Security Rule that has to be addressed in order to be compliant. Consequently, secure messaging solutions also meet the criteria set out in the administrative, physical and technical safeguards for sending PHI in compliance with HIPAA.